Android Smartphones Can't Keep Your Secrets
By: Jim Stickley and Tina Davis
October 10, 2018
Is your smartphone giving up your secrets? The answer may be “yes” and it’s a huge blow to the smartphone industry and their customers. The Department of Homeland Security (DHS) recently announced the results of research on smartphone vulnerabilities – and they’re not good. A mobile security firm, Kryptowire, found security flaws in the way Android devices are manufactured. They allow hackers to exploit an opening, potentially giving access to all of the data on your smartphone or device – emails, texts, location, and…well, you know the rest. DHS program manager, Vincent Sritapan, recently addressed this finding at the Black Hat USA Cybersecurity Conference in Las Vegas.
This revelation begs the question, have millions of Android users and their PII (Personally Identifiable Information) been hacked? According to Mr. Sritapan, although the flaws “escalate privileges and take over the device,” the researchers have yet to see evidence that hackers have cashed-in on this weakness. In February of this year, the DHS notified smartphone manufactures about the vulnerability.
The flaw was first detected in mobile devices by BLU (Bold Like Us) sold worldwide at outlets like Amazon and Best Buy. The Florida-based company builds their phones in China and sells them in the U.S., some for under $200. That’s quite a bargain for consumers, but they didn’t bargain on their phone coming equipped with pre-installed firmware that regularly transmits their PII back to Chinese manufacturers. Recently, other Android device sellers discovered the same weakness in their phones. If you’ve never heard of BLU, you’ve certainly heard of AT&T, Verizon, Sprint, and T-Mobile. Potentially, the PII of over 700 million users worldwide has been compromised.
According to Kryptowire, the firmware works by bypassing anti-virus tools. It’s software that’s built-in to the device during manufacturing and therefore can’t be recognized as malware by anti-virus software.
What does the Android smartphone community do with these findings and how do they protect themselves going forward? Keeping devices secure is an ongoing and constantly evolving process. Common sense tactics are a great first step, including avoiding buying a device from outlets that aren’t trusted or you’re not familiar with. Always keep software up-to-date as soon as it’s available, especially the latest security patches. Unpatched vulnerabilities are often how the cybercriminals get malware onto devices. You can download antivirus security that detects factory-installed malware, but always download it from an official, trusted source and never sideload any apps. Get them from the official app stores for whatever device you use. While there most certainly are safe applications that are not found in the app stores, anything that does go into these goes through some extra security scrutiny before being allowed in. Of course, that’s not to say these are 100% guaranteed safe too. But, your risk is certainly lower. Just be sure to read the reviews from others and if they don’t sound good, skip that app. There is usually another one that is safe and trusted.